Description
SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling.
Published: 2026-03-22
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the author management feature of SPIP CMS, where the status field is incorrectly handled, allowing a non‑administrator to assign administrator privileges to an author record. This flaw permits an attacker to elevate privileges to full administrative control over the site, potentially compromising confidential data, modifying site settings, and executing further attacks. The weakness corresponds to inadvertent privilege assignment as classified by CWE‑688.

Affected Systems

The issue affects SPIP CMS versions 4.4.10 through 4.4.12. The vendor SPIP is identified as the affected product. Users running these releases are susceptible to the flaw, while version 4.4.13 and later are not impacted.

Risk and Exploitability

The CVSS score of 6.7 places the vulnerability in the medium severity range, and the EPSS score of less than 1% indicates a low likelihood of widespread exploitation at present. The flaw is not listed in the CISA Known Exploited Vulnerabilities catalog, suggesting it has not yet been abused in the wild. However, exploitation is feasible via the normal administrative interface; an attacker would need to create or edit an author record, after which the SYSTEM could grant administrative rights. This represents a significant risk to site owners who rely on the default SPIP author management workflow.

Generated by OpenCVE AI on April 2, 2026 at 22:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the SPIP 4.4.13 release or later, which removes the mistaken STATUT handling and restores correct privilege checks.

Generated by OpenCVE AI on April 2, 2026 at 22:18 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DSA Debian DSA DSA-6174-1 spip security update
History

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Unauthorized Administrator Assignment in SPIP CMS

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:spip:spip:*:*:*:*:*:*:*:*

Wed, 25 Mar 2026 15:00:00 +0000

Type Values Removed Values Added
Title Privilege Escalation via Unauthorized Administrator Assignment in SPIP CMS

Tue, 24 Mar 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 23 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Spip
Spip spip
Vendors & Products Spip
Spip spip

Sun, 22 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
Description SPIP 4.4.10 through 4.4.12 before 4.4.13 allows unintended privilege assignment (of administrator privileges) during the editing of an author data structure because of STATUT mishandling.
Weaknesses CWE-688
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L'}

Subscriptions

Spip Spip
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-02T17:58:46.498Z

Reserved: 2026-03-22T02:03:47.214Z

Link: CVE-2026-33549

cve-icon Vulnrichment

Updated: 2026-03-23T15:16:41.626Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-22T03:16:01.237

Modified: 2026-04-17T21:13:29.500

Link: CVE-2026-33549

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:39:16Z

Weaknesses